The other comments are correct, but let me try for a different phrasing, because it's a complex topic. You have two parts for attestation: The hardware provides the keys and computation for the measurement state that you can't change as a user. The software provides the extra information/measurements to the hardware.
That means you can't simulate the hardware in a way that would allow you to cheat (the keys/method won't match). And you can't replace the software part (the measurements won't match).
It all depends on the third party and the hardware keys not leaking, but as long as you can review the software part, you can be sure the validation of the value sent with the response is enough.
I understand hardware attestation at this level, it's why you couldn't route a hardware attestation from a different machine, that's not the one the user cares about, that I'm working on understanding.
Because to obtain the result of attestation, you'd need to actually run the prompt on the verified machine in the first place. (And in practice the signature would be bound to your response as well)
The attestation report is produced after the user sends a prompt to the LLM? I thought it was the proof the correct model weights are loaded on some machine.
The attestation report is produced ahead of time and verified on each connection (before the prompt is sent). Every time the client connects to do an inference request via one of the Tinfoil SDKs, the attestation report is checked relative to a known-good/public configuration to ensure the connection is to a server that is running the right model.
The attestation is tied to the Modelwrap root hash (the root hash is included in the attestation report) so you know that the machine that is serving the model has the right model weights.
The certificate is embedded with the HPKE key accessible only inside the enclave. The code for all this is open source and part of the measurement that is being checked against by the client.
So if the provider attempts to send a different attestation or even route to a different enclave, this client side check would fail.
Is this certificate a TLS certificate? At least the TLS connection the user has should be with the "enclave", not a proxy server. If the connection is with a proxy server, the user can be MITM'd.
Yes, it is a TLS certificate generated by the enclave on boot (the code responsible for doing this is open source and the attestation is also included in the certificate so you can check that this is exactly what’s happening). We go into more detail in our attestation verification docs here: https://docs.tinfoil.sh/verification/attestation-architectur...
The provider cannot choose the attestation that is sent; the hardware assembles the attestation through mechanisms that it cannot control. That's why it's called "trusted hardware" technology: you only need to trust the hardware (how it was implemented), and you don't need to trust the provider operating it.
I don't know, but archive sites could at least publish hashes of the content at archive time. This could be used to prove an archive wasn't tampered with later. I'm pretty underwhelmed by the Wayback Machine (archive.org), it's no better technically than archive.today.
How do you ensure the tampered content isn’t re-hashed? Usually if you’re saving the hash in advance, you can save the whole archived page. Otherwise, you can use a regular archive service then hash the archived page yourself.
The only way I know to ensure an archive isn’t tampered is to re-archive it. If you sent a site to archive.today, archive.org, megalodon.jp, and ghostarchive.org, it’s unlikely that all will be tampered in the same way.
A list of hashes (tuple of [hashed url+date metadata, hashed content]) takes much less disk space than the archive contents themselves. Archive websites could publish the list for all their content so it can be compared against in the future. People would save copies of the list. If you didn't store the list yourself ahead of time, and don't trust a third-party to be "the source of truth", the archive could've uploaded the hashes to the blockchain at archive time:
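As an added example (not code from any archive service), the hash-list idea above carried one step further in Go: each capture becomes the (metadata hash, content hash) tuple, the list is folded into a single Merkle root that the archive could publish or anchor, and a saved page can later be checked against that root with a short inclusion proof instead of the whole list. The entry layout is a constructed stand-in.

```go
package main

import "crypto/sha256"

// Entry mirrors the tuple in the comment above: hash of URL+date metadata and hash of the
// archived content (constructed layout). Leaf and node build a binary Merkle tree over them.
type Entry struct{ MetaHash, ContentHash [32]byte }

func NewEntry(url, date string, content []byte) Entry {
	return Entry{sha256.Sum256([]byte(url + "\n" + date)), sha256.Sum256(content)}
}
func node(l, r [32]byte) [32]byte { return sha256.Sum256(append(l[:], r[:]...)) }
func (e Entry) Leaf() [32]byte   { return node(e.MetaHash, e.ContentHash) }

// Proof returns the sibling hashes from leaf idx up to the root (last node duplicated on
// odd levels); the list must be non-empty. The caller's slice is never modified.
func Proof(leaves [][32]byte, idx int) (sibs [][32]byte) {
	leaves = append([][32]byte(nil), leaves...)
	for len(leaves) > 1 {
		if len(leaves)%2 == 1 {
			leaves = append(leaves, leaves[len(leaves)-1])
		}
		sibs = append(sibs, leaves[idx^1])
		next := make([][32]byte, 0, len(leaves)/2)
		for i := 0; i < len(leaves); i += 2 {
			next = append(next, node(leaves[i], leaves[i+1]))
		}
		leaves, idx = next, idx/2
	}
	return sibs
}

// fold climbs from position idx back to the root; the low bit of idx says which side.
func fold(h [32]byte, idx int, sibs [][32]byte) [32]byte {
	for _, s := range sibs {
		if idx&1 == 1 { h = node(s, h) } else { h = node(h, s) }
		idx /= 2
	}
	return h
}

// Root is the 32-byte commitment to publish (or anchor on a blockchain) at capture time;
// VerifyProof later checks one capture against it without needing the whole list.
func Root(leaves [][32]byte) [32]byte { return fold(leaves[0], 0, Proof(leaves, 0)) }

func VerifyProof(published [32]byte, e Entry, idx int, sibs [][32]byte) bool {
	return fold(e.Leaf(), idx, sibs) == published
}
```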
> is that there is a public forum post in which a guy claims to be the site owner.
Which forum post? The post mentioned by the blogger, the post on an F-Secure forum (a company with cybersecurity products) was a request for support by the owner of archive.today regarding a block of their site. It's arguably not intended as a public statement by the owner of the archive, and they were simply careless with their username.
To give credit, this is a question I'm asking after reading this blog post, but a solution for the stifling unfairness of commercialization in open-source is something I've been thinking about for a good while. The essay "The Cathedral and the Bizarre" on https://marktarver.com is also worth reading, despite that I find some of the arguments to be in bad faith.
Do you think it's not enforceable because of that definition? Revenue of $1M alone (not net revenue) should be a rough proxy of organization size. If a company makes that kind of money it should be able to organize its expenses to pay a reasonable price for the software they rely on. There could be an exception for non-profits, if it would make more sense. If companies were rational they would already be paying the reasonable amount for "normal" open-source software, since unmaintained software in their supply chain can also become a problem for them.
BTPL (I just think BTPL is neat) has these concrete terms:
>You may use the software for the benefit of your [small business] if it meets all these criteria:
* had fewer than 20 total individuals working as employees and independent contractors at all times during the last tax year
* earned less than $1,000,000 total revenue in the last tax year
* received less than $1,000,000 total debt, equity, and other investment in the last five tax years, counting investment in predecessor companies that reorganized into, merged with, or spun out your company
> Do you think it's not enforceable because of that definition?
I think companies with millions or billions in revenue pay lawyers a lot to find loopholes in things like this.
> BTPL
I have no clue what that is, and I can't even find a reference to it anyway. All I found is a public library somewhere and something about a Pakistani power company or something.
> * had fewer than 20 total individuals working as employees and independent contractors at all times during the last tax year
That's simple to get around, and big companies already do it. Hire an external development agency. They might be sitting in your office but they're neither employees nor independent contractors.
Ultimately though, the point I made earlier is still the most relevant response. If you don't like OSS licences, don't use one. Use whatever you're comfortable with. But don't imagine for a moment that you're better able to identify the needs of everyone else who writes software and does use an OSS licence.
Regarding BTPL, it's a license called Big Time Public License, which I mentioned in my original post. It was written by this guy that has written a bunch of experimental software licenses.[1]
If I were to choose a license in an informed way, I would want to really understand other people's choice of using OSS licenses. I almost exclusively use open-source/libre programs in my devices and make code contributions occasionally. I think I'm familiar with the ecosystem more than the commercial (proprietary) ecosystem. The freedom bestowed by owning the copy of the source code is very important in my opinion. While OSS is the best model we have right now, I and others see flaws, like dependency-chain failures, maintainer burnout and not-so-good incentives like keeping your system unpolished/hard to use so support can be your income.
Perhaps only 80% of the monetization will succeed because of loopholes, but suppose you can tack on monetization to an open-source license. It's still better than 0% monetization. In plain terms, my question is, even if it would no longer be real open-source (true), why wouldn't developers want that?
I'm trying to imagine something other than GPL. The fact that the GPL license is respected in the vast majority of cases, without a precedent being necessary is very exciting.
I think the author correctly identifies a dilemma of being unable to ignore AI's capabilities as it enables you to leave your old tools in the dust, but being apprehensive of cultivating dependency in the latest AI services. Progress is being undone in at least one front. The PC had transferred the ownership of the means of produ--I mean "democratized" the creation of art and communication. (and duh, computing)
However this lack of desire to create could be particular to the author. The author's visual art isn't appealing to me, and the taste I share with a lot of other people. If the gallery on the author's website[0] stands for skill the author says they'd been cultivating, it is my opinion that they seem to have liked painting and paintings less than creating algorithmic tools for the digital painting process. When AI showed up, algorithmic tools the author's made became comparatively dull to work with.
Does Org have a mechanism for escaping its own syntax? Last time I searched, to type *this* (keeping the asterisks) you had to insert a zero-width space (U+200B). In markdown you just escape them with \*this\*.
I've used the following, in addition to the "escape character" method (which is officially documented as the other commenter noted):
For in-line escaping, I use tilde-blocks ~ ~ ... as in ~~ . This type-sets in monospace (code format) in exports, which usually* is what one wants anyway, viz. to demarcate the symbol as being symbolised.
This summary is definitely useful as I'm myself a user of Org. I still think backslash escaping doesn't get to be annoying, and is a simple algorithm, which is important when you want to paste text into your org documents from other sources.
You can keep these tricks in mind while writing, but sometimes it's not you doing the writing. It could be pasted text, it could be a machine writing.
I think org-mode was never primarily about its rendered output. Most users probably, like me, spend a lot of time (hours every day) in various org-mode documents, staring at what is essentially the raw mark-up. Org-mode in Emacs makes only a few minor changes to how the text is displayed, like hiding link targets, so you rarely look at the output. I export less than 1% of my org documents, so usually I don't care at all about what formatting renders like, as long as I get the mark-up correct enough that org-mode itself is functional (links can be followed, sections collapsed etc). The few documents I do want to export I can imagine using workarounds like the zero-width spaces, but it is not like there is often a need to have things looking like org-mode mark-up in the output.
For me at least, worrying about escaping mark-up would be too distracting and just add noise, as the raw mark-up is what I will read anyway. But I think some good way to escape things would not be a bad thing to have.
BTW there are verbatim blocks that can be used when you have entire lines of non-org content. And of course src-blocks. But that obviously does not handle every case escapes could be useful.
That was some bad luck. I made an edit seconds after the post came rendered to get the formatting right. (On HN I expected to have to type \\\* to render \* but you just have to type \\*)
I understand your use case, I just think it makes it not worthy of comparisons to markdown.
So you can type *word* without it becoming bold? So an article can contain: "The logs come to about ~300 lines once you start the server with ~systemctl start fnord~"
The `code` equivalent in Org is ~code~. How do you type that without the Org highlighting removing the ~ from "~300 lines", thinking that the code snippet begins there? This is an example I got from grepping my org files for U+200B.
I see. Just gave it a try and backslash works as escape. Though also I'm probably unlikely to experience such issues myself as my Emacs theme shows formatting characters even after applying the formatting.
Still exports as <p>\~300 lines</p> (in case of an HTML export). In fact you could "escape it" with any character, the backslash isn't doing anything special, the formatting just doesn't trigger if there's no white space on one side. When I use Org I also do not have auto-formatting, as you do, but the highlighting would still be wrong. And it'd be masochistic to put up with that unless you've invested a lot into Org for other reasons.
Sounds to me like it's a shortcoming of the exporter then, to not remove the escape characters as appropriate. Though one would think others would've run into this issue and fixed it. Or perhaps you're missing some other prevalent alternative?
The highlighting corrects for me once I "escape" the "~300".
Isn't the aim to have the highlighting only apply to `~systemctl start fnord~`, and not have whatever you used to escape the "~300" appear in an export? Highlighting and exporting are 2 pretty distinct functions.
I use org a lot, in fact, it's my daily driver. I also have to deal with MySQL, and, if using the vertical output (what you get if you finish a query with '\G' instead of ';'), it makes pasting into an org file a pain.
Sure, not a big pain, I just wrapped it in a function paste-from-mysql that appends the whitespace, but then I need to take out the whitespace if I want to paste that somewhere else. It would be nice to have org support some sort of 'do not interpret what comes next' block markers. I guess someone with enough time and skills could make this change but, alas, that's not me.
Thanks! I had actually seen that, but didn't realize that org does remove the leading comma when you extract a block to paste it somewhere else, which is great, because it means I need one less function.
Now I just need to keep my paste function, but have it add a leading comma instead of a space, and I need to use example instead of src (not a problem for this use case since, even though I normally paste them into sql src blocks, the syntax highlighting isn't that useful).
You gave me a nice little task for a rainy day, thanks :)
In an Org document that contains Org examples (e.g. if this article had been written in Org), even Emacs gets confused about rendering it. So you might find that sections in example text are evaluated as being part of top-level sections and collapsing is wonky, etc.
I run into this a lot with gptel. I use a main Org file for all my daily notes, and since gptel streams LLM output as Org (which is good), it conflicts with my main file. I have a post-processing function that converts headings into `#` to avoid this, but it's a hack I'd rather not do.
Hmm, I'm still not seeing the issue. Why aren't the examples just lists under, say, an examples header? Or the LLM output? Maybe gptel is expecting output to be in a fresh file or at the top level? It should be a trivial fix to indent a level before inserting.